Hello,
I am trying to make my client, developed for OpenLDAP, also compatible with Oracle DSEE. Oracle DSEE is missing support for simple paged results, which I use. Yet, ODSEE supports virtual list view with server-side sorting. I adjusted my code to use that - VLV+SSS as a fallback whenever the server does not support paged results and supports VLV+SSS, like ODSEE.
Is it possible to disable OpenLDAP server-side support of simple paged results control, so the OpenLDAP server would respond that this control is unavailable?
I don't have an LDAP proxy, nor ODSEE configured. OpenLDAP saved me many times in the past. Can OpenLDAP be configured to do what I need, so I could test my fallback code in the client using an OpenLDAP server?
Thank you,
Igor Shmukler
OK, I might have found the setting: olcSizeLimit: size.prtotal=disabled
Thank you
Hello,
Sorry, I am [still] having problems disabling paged results. The below LDIF is not working:
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: size.prtotal=disabled
What is wrong with the LDIF? It was successfully applied using ldapmodify(1), yet my server still does not throw an unsupported control, instead providing clients with paged results.
Thank you.
On Thu, 27 Aug 2015, Igor Shmukler wrote:
olcSizeLimit: size.prtotal=disabled
What is wrong with the LDIF? It was successfully applied using ldapmodify(1), yet my server still does not throw an unsupported control, instead providing clients with paged results.
You can see how prtotal=disabled is supposed to work with test025, e.g.
$ ../clients/tools/ldapsearch -P 3 -x -S uid -b 'dc=example,dc=com' -h localhost -p 9011 -w secret -D 'cn=Paged Results Disabled User,ou=Paged Results Users,dc=example,dc=com' -E '!pr=5/noprompt' -b 'dc=example,dc=com' '(objectClass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
# with pagedResults critical control: size=5
#

# search result
search: 2
result: 11 Administrative limit exceeded
text: pagedResults control not allowed

# numResponses: 1
so perhaps turn up your slapd logging and see if you're sending that result. And you mention "unsupported control," but these are administrative limits, it's not like this deletes the code from slapd. For example again with test025 and assuming you don't --enable-sssvlv=yes:
$ ../clients/tools/ldapsearch -P 3 -x -S uid -b 'dc=example,dc=com' -h localhost -p 9011 -E '!sss=mail:caseIgnoreIA5Match' -b 'dc=example,dc=com' '(objectClass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
# with server side sorting critical control
#

# search result
search: 2
result: 12 Critical extension is unavailable
text: critical extension is not recognized

# numResponses: 1
Note that one practical, albeit somewhat evil, method to deal with confused clients can be to disallow them access to the supportedControl.
# VLV, for instance
access to dn.exact="" attrs=supportedControl val/objectIdentifierMatch.exact=2.16.840.1.113730.3.4.9
    by <foolishClient> none
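Added example (not part of the thread, and not code from any poster or from the OpenLDAP project): a sketch of the client-side decision the messages above imply, treating both result 11 and result 12 on a critical paged results request as the signal to fall back to VLV+SSS. The function names and strategy labels are hypothetical, the server-side sort OID is the RFC 2891 request control, and the code assumes a server with size.prtotal=disabled may still list the paged results OID in supportedControl.

```python
# Constructed values only; nothing here talks to a directory server.
PAGED_RESULTS = "1.2.840.113556.1.4.319"  # OID shown in the thread's search output
VLV_REQUEST = "2.16.840.1.113730.3.4.9"   # OID shown in the thread's access rule
SSS_REQUEST = "1.2.840.113556.1.4.473"    # server-side sort request (RFC 2891)

ADMIN_LIMIT_EXCEEDED = 11            # result shown for size.prtotal=disabled
UNAVAILABLE_CRITICAL_EXTENSION = 12  # result shown for an unrecognized critical control


def initial_strategy(supported_controls):
    """Pick a listing strategy from the root DSE supportedControl values."""
    oids = set(supported_controls)
    if PAGED_RESULTS in oids:
        return "paged"
    if {VLV_REQUEST, SSS_REQUEST} <= oids:
        return "vlv+sss"
    return "plain"


def next_strategy(current, result_code, supported_controls):
    """React to the result of a search sent with the current strategy.

    Either 11 or 12 in answer to a critical paged results control means the
    server refused it, so both trigger the fallback; other codes change nothing.
    """
    refused = result_code in (ADMIN_LIMIT_EXCEEDED, UNAVAILABLE_CRITICAL_EXTENSION)
    if current == "paged" and refused:
        # Re-evaluate as if paged results had never been advertised.
        return initial_strategy(set(supported_controls) - {PAGED_RESULTS})
    return current


def probe(root_dse_controls, first_result_code):
    """Return (strategy from root DSE, strategy after the first search result)."""
    first = initial_strategy(root_dse_controls)
    return first, next_strategy(first, first_result_code, root_dse_controls)


if __name__ == "__main__":
    # Constructed root DSE that advertises all three controls (assumption).
    advertised = [PAGED_RESULTS, VLV_REQUEST, SSS_REQUEST]
    print(probe(advertised, ADMIN_LIMIT_EXCEEDED))
    # Constructed root DSE with the paged results OID absent or hidden.
    print(probe([VLV_REQUEST, SSS_REQUEST], 0))
```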
Hello Aaron,
Thank you for responding. I am still trying to process your email. Hopefully, I understand some of your suggestions. Thank you for referring me to test025. I would be delighted to get: "Unavailable Critical Extension" in return for simple paged results request. My problem is that the server does not return anything reflecting that paged results control is disabled. Please take a look:
# search result
search: 4
result: 0 Success
control: 1.2.840.113556.1.4.319 false MA0CAQAECA8AAAAAAAAA
pagedresults: cookie=DwAAAAAAAAA=
# extended LDIF
#
# LDAPv3
# base <dc=sssvlv,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with pagedResults critical control: size=5
#

# ffanco, sssvlv.com
dn: cn=ffanco,dc=sssvlv,dc=com
sn: Fanco
ipPhone: 20006
givenName: Franc
mail: ffanco@spain.gov.es
Hence, my question is whether I did something wrong while attempting to disable paged results.
Sincerely,
Igor Shmukler
On Thu, 27 Aug 2015, Igor Shmukler wrote:
search: 4 result: 0 Success
obviously isn't
result: 11 Administrative limit exceeded text: pagedResults control not allowed
so yeah, that prtotal=disabled doesn't seem to hit. I'd turn up slapd logging and see what's going on. (Are you positive that your bindDN is subject to your prtotal clause?)
Aaron,
I don't know what is happening, hence tried to tap into collective wisdom. My LDIF was written to disable paged search for everyone, hence dn: cn=config
If I knew how the rule should be written, I would not bother smart people.
Sincerely,
Igor Shmukler
On Thu, Aug 27, 2015 at 01:46:53PM +0300, Igor Shmukler wrote:
Is it possible to disable OpenLDAP server-side support of simple paged results control, so the OpenLDAP server would respond that this control is unavailable?
I don't have an LDAP proxy, nor ODSEE configured. OpenLDAP saved me many times in the past. Can OpenLDAP be configured to do what I need, so I could test my fallback code in the client using an OpenLDAP server?
Have a look at the RETCODE overlay: slapo-retcode(5) - this should allow you to return whatever error codes you like to your client during testing.
Andrew
openldap-technical@openldap.org